Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-50681
Publication date:
19/12/2025
igmpproxy 0.4 before commit 2b30c36 allows remote attackers to cause a denial of service (application crash) via a crafted IGMPv3 membership report packet with a malicious source address. Due to insufficient validation in the `recv_igmp()` function in src/igmpproxy.c, an invalid group record type can trigger a NULL pointer dereference when logging the address using `inet_fmtsrc()`. This vulnerability can be exploited by sending malformed multicast traffic to a host running igmpproxy, leading to a crash. igmpproxy is used in various embedded networking environments and consumer-grade IoT devices (such as home routers and media gateways) to handle multicast traffic for IPTV and other streaming services. Affected devices that rely on unpatched versions of igmpproxy may be vulnerable to remote denial-of-service attacks across a LAN .
Severity CVSS v4.0: Pending analysis
Last modification:
19/12/2025

CVE-2025-14950
Publication date:
19/12/2025
A weakness has been identified in code-projects Scholars Tracking System 1.0. The affected element is an unknown function of the file /delete_post.php. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited.
Severity CVSS v4.0: MEDIUM
Last modification:
19/12/2025

CVE-2025-14946
Publication date:
19/12/2025
A flaw was found in libnbd. A malicious actor could exploit this by convincing libnbd to open a specially crafted Uniform Resource Identifier (URI). This vulnerability arises because non-standard hostnames starting with '-o' are incorrectly interpreted as arguments to the Secure Shell (SSH) process, rather than as hostnames. This could lead to arbitrary code execution with the privileges of the user running libnbd.
Severity CVSS v4.0: Pending analysis
Last modification:
19/12/2025

CVE-2025-1928
Publication date:
19/12/2025
Improper Restriction of Excessive Authentication Attempts vulnerability in Restajet Information Technologies Inc. Online Food Delivery System allows Password Recovery Exploitation.This issue affects Online Food Delivery System: through 19122025.
Severity CVSS v4.0: Pending analysis
Last modification:
19/12/2025

CVE-2025-14882
Publication date:
19/12/2025
An API endpoint allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only.
Severity CVSS v4.0: LOW
Last modification:
19/12/2025

CVE-2025-14881
Publication date:
19/12/2025
Multiple API endpoints allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only.
Severity CVSS v4.0: LOW
Last modification:
19/12/2025

CVE-2025-1885
Publication date:
19/12/2025
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Restajet Information Technologies Inc. Online Food Delivery System allows Phishing, Forceful Browsing.This issue affects Online Food Delivery System: through 19122025.
Severity CVSS v4.0: Pending analysis
Last modification:
19/12/2025

CVE-2025-1927
Publication date:
19/12/2025
Cross-Site Request Forgery (CSRF) vulnerability in Restajet Information Technologies Inc. Online Food Delivery System allows Cross Site Request Forgery.This issue affects Online Food Delivery System: through 19122025.
Severity CVSS v4.0: Pending analysis
Last modification:
19/12/2025

CVE-2025-14847
Publication date:
19/12/2025
Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects all MongoDB Server v7.0 prior to 7.0.28 versions, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server v6.0 versions prior to 6.0.27, MongoDB Server v5.0 versions prior to 5.0.32, MongoDB Server v4.4 versions prior to 4.4.30, MongoDB Server v4.2 versions greater than or equal to 4.2.0, MongoDB Server v4.0 versions greater than or equal to 4.0.0, and MongoDB Server v3.6 versions greater than or equal to 3.6.0.
Severity CVSS v4.0: HIGH
Last modification:
19/12/2025

CVE-2025-14455
Publication date:
19/12/2025
The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.7. This is due to the plugin not properly verifying that a user is authorized to perform actions on gallery management functions. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete, modify, or clone galleries created by any user, including administrators.
Severity CVSS v4.0: Pending analysis
Last modification:
19/12/2025

CVE-2025-66524
Publication date:
19/12/2025
Apache NiFi 1.20.0 through 2.6.0 include the GetAsanaObject Processor, which requires integration with a configurable Distribute Map Cache Client Service for storing and retrieving state information. The GetAsanaObject Processor used generic Java Object serialization and deserialization without filtering. Unfiltered Java object deserialization does not provide protection against crafted state information stored in the cache server configured for GetAsanaObject. Exploitation requires an Apache NiFi system running with the GetAsanaObject Processor, and direct access to the configured cache server. Upgrading to Apache NiFi 2.7.0 is the recommended mitigation, which replaces Java Object serialization with JSON serialization. Removing the GetAsanaObject Processor located in the nifi-asana-processors-nar bundle also prevents exploitation.
Severity CVSS v4.0: HIGH
Last modification:
19/12/2025

CVE-2025-12361
Publication date:
19/12/2025
The myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.9.7.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive information including user IDs, display names, and email addresses of all users on the site via the get_bank_accounts AJAX action. Passwords are not exposed.
Severity CVSS v4.0: Pending analysis
Last modification:
19/12/2025
Subscribe to Vulnerabilities